Re: [ISN] E-Gap Cuts Off Hacker Access

From: InfoSec News <isn_at_C4I.ORG>
Date: Mon 29 Jan 2001 - 00:07:28 CST
Forwarded by: Joseph Steinberg <joseph@whale-com.com>

An intruder cannot access an internal web server in the same way as a
regular client (with a network connection) could as the e-Gap forces
thorough application-level content-inspection of user input to take
place before the data reaches the real web server. Data analysis and
content inspection is all performed on safe internal machines
(protected by the e-Gap), and because networking is not used to
transport data across the e-Gap, the only destination that the
internal system will use for retransmitting data on the internal
network is the pre-defined target machine. As such, data inspection
will occur and cannot be circumvented or tampered with from outside of
the e-Gap. This inspection includes granular analysis of URLs --
including regular expression comparisons -- (to prevent DEBUG features
from being inappropriately utilized, various types of buffer overflow
attacks, incorrectly formatted parameter problems, etc.). E-Gap can
also perform additional security checks (e.g., additional levels of
authentication at the inspection machine before a user is allowed to
even have his/her request on a network wire with the target web
server.)

The e-Gap system is composed of the e-Gap appliance and its associated
software (all the software-based system management and configuration
is done from the internal trusted side).

BTW: It is obviously not practical to build an e-Gap with a serial
cable as today’s bandwidth requirements are generally many times
greater than the typical maximum bandwidth of a serial port (115
Kbps). An individual e-Gap system has a bandwidth of almost 1000 times
greater than that of a serial port, and a high-availability e-Gap
system reaches almost 5,000 times the bandwidth.

           _.._
           (_.-.\         Joseph Steinberg
       .-,       `        Director of Technical Services
  .--./ /     _.-""-.     Whale Communications
   '-. (__..-"       \
      \          a    |   joseph@whale-com.com
       ',.__.   ,__.-'/   (201) 947-9177 x1511
         '--/_.'----'`    

http://www.whalecommunications.com


Join our complimentary web-based seminar for a technical demo of
Whale's e-Gap solution (<http://www.whalecommunications.com/forum>),
Wednesday, February 14, 2001, 1:00 pm Eastern Time, 12:00 pm Central
Time, 10:00 am Pacific Time.

Visit us at SANS New Orleans (<http://www.sans.org/>) at Booth 19,
Jan. 30-31, and receive your free gift!

See us at CeBit 2001, Hannover (<http://www.cebit.de/>), Israel
National Pavilion, Hall 4, Mar 22-28.



> On Fri, Jan 12, 2001 at 08:53:13AM -0500, Ben Rothke wrote:
>> Hello,
>>
>> The air-gap products got a lot of airplay on the 
>> firewall-wizards list some months back.
>>
>> Two comments that stand out in reference to the efficacy 
>> of air-gap products are:
>>
>> A firewall is a tunnel, an air gap is a tunnel. And a 
>> tunnel is a tunnel is a tunnel. Giving it another name doesn't 
>> mean it isn't the same.
>>
>> and Roger Marquis said so poignantly:  A half-duplex datastream 
>> with pico-second turnaround, coupled with a micrometer gap between 
>> two fiber connectors doesn't make a product any more or less secure
>> than other firewalls.
> 
> Well the one property that E-Gap does have that regular proxy
> firewalls don't is that it is composed of two systems. If the
> external system gets compromised it does not immediately mean
> the internal one will. You may still find a vulnerability in the
> internal system via the application layer (which you can do
> without breaking into the system) or you may find a vulnerability
> in the transport layer that they use to shuffle requests back and
> forth between the systems. This obviously depends on the
> complexity of the protocol and the quality of its implementation.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Mon Jan 29 03:26 CST 2001
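
The URL inspection described in the message above (regular-expression comparisons that keep out debug parameters, oversized input and badly formatted parameters), sketched as an added example that is not part of the original post and is not Whale's code. The rule set, paths, parameter names and the 512-character cap are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical positive-model rule set: path regex -> {parameter: value regex}.
RULES = [
    (re.compile(r"/catalog/item"), {"id": re.compile(r"[0-9]{1,9}")}),
    (re.compile(r"/search"), {"q": re.compile(r"[\w .-]{1,64}"),
                              "page": re.compile(r"[0-9]{1,4}")}),
    (re.compile(r"/static/[a-z0-9_-]{1,32}\.(?:css|js|png)"), {}),
]
MAX_URL_LEN = 512  # assumed cap; oversized requests are dropped up front


def inspect(url):
    """Return (allowed, reason) for a request URL. The default is deny."""
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    if not url.isascii() or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False, "illegal character"
    # Reject malformed percent-escapes before any decoding happens.
    if re.search(r"%(?![0-9A-Fa-f]{2})", url):
        return False, "malformed escape"
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False, "absolute url"
    # The raw (still encoded) path must match a rule in full.
    for path_re, params in RULES:
        if path_re.fullmatch(parts.path):
            break
    else:
        return False, "path not allowed"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in params:  # e.g. an undeclared debug switch
            return False, "unknown parameter: " + name
        if name in seen:
            return False, "duplicate parameter: " + name
        if not params[name].fullmatch(value):
            return False, "bad value for " + name
        seen.add(name)
    return True, "ok"


# Constructed sample requests, not taken from any real log.
SAMPLES = ["/catalog/item?id=42", "/catalog/item?id=42&debug=1",
           "/search?q=" + "A" * 600, "/catalog/item?id=4%zz", "/admin/console"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect(s), s[:40])
```

Only requests that return `(True, "ok")` would be retransmitted to the pre-defined target machine; everything else is refused at the inspection host.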